
Why America should worry about hackers taking out a power plant in Ukraine

Around 4 p.m. on Dec. 23, much of western Ukraine's pastoral Ivano-Frankivsk region, an area about the size of Connecticut, was plunged into darkness.

The local electric utility in Ivano-Frankivsk acknowledged the blackout in a series of frantic messages posted on its website. Power had been lost across a vast area of the region and the cause was unknown.

Half an hour later, the utility said the outage was more widespread than originally assumed: About a quarter of a million customers were without electricity. Moreover, the utility had also lost control of its backup power supplies.

Inside the power plant, the system operators didn't know what to do. Many of their screens had frozen or gone black. Some looked scrambled. Still, system indicators appeared to show everything at the power plant was in working order.

"Nobody knew anything about what was happening," Oleksandr Tkachuk, chief of staff at the Security Service of Ukraine (SBU), told Mashable in an interview this week.

Eventually, it became clear that this was an "interference by outsiders" who had gained access to the utility's industrial control systems, the systems that operate the breakers and switches regulating the flow of electricity out of the power plant.

In other words, it was a cyberattack.

A first-of-its-kind cyberattack

Employees work in the control room at the Trypillya thermal power plant in Ukrainka, about 31 miles south of Kiev, Ukraine, Thursday, Feb. 11, 2016.

Image: AP Photo/Sergei Chuzavkov

Last week, top American cybersecurity experts, who are investigating the incident with their Ukrainian counterparts in Kiev, acknowledged that the Prykarpattyaoblenergo electric utility had been attacked, reinforcing a long-held fear among government officials: that hackers could attack and seize control of critical infrastructure.

"This is the first time civilian infrastructure was intentionally attacked. It set an international precedent," the SANS Institute's Robert Lee, a former Cyber Warfare Operations officer for the U.S. Air Force and co-founder of Dragos Security, told Mashable in a recent interview.

Washington, too, seemed to have taken notice. On Tuesday, the U.S. National Security Agency (NSA) chief, Admiral Michael Rogers, said it is a "matter of when — not if" a foreign nation-state attempts to launch a cyberattack on American critical infrastructure, citing the Ukraine cyberattack as a cause for concern, Reuters reported.

Speaking at the RSA cybersecurity conference in San Francisco, Rogers said he was also worried about potential cyberattacks from non-state actors such as the Islamic State (ISIS).

Cyberattacks like these are the kind of thing that "keeps us up at night," David Cohen, deputy director of the CIA, recently told PBS NewsHour.

What exactly happened in Ukraine?

Ukrainian President Petro Poroshenko visits Rovenskaya nuclear power plant in Kuznetsovsk, January 29, 2016, following the cyberattack at Prykarpattyaoblenergo in December 2015.

Image: Nikolay Lazarenko/Sputnik via AP

Working remotely and over the course of several months, skilled hackers carried out what the U.S. government called a "synchronized and coordinated" cyberattack "following extensive reconnaissance" of Prykarpattyaoblenergo's network.

First, the hackers stole system operators' credentials using malware delivered through spear-phishing emails, then used that access to learn how the utility's industrial control systems worked and how to switch them off.

On Dec. 23, from inside those systems, the hackers switched off the stream of electricity leaving the plant. They then launched a telephone denial-of-service (TDoS) attack against the utility's call center so customers couldn't report the blackout.

Around the same time, the hackers "paralyzed work of the company as a whole" with malware that disabled and erased data from some computers and servers, Prykarpattyaoblenergo said in a note published last month.

It was discovered later that Prykarpattyaoblenergo wasn't the only utility attacked that day. Cyberattacks were also launched against two other power companies in central Ukraine, Tkachuk said.

Nikolay Koval, who once headed Ukraine's national CERT before becoming CEO of the Ukrainian security firm CyS Centrum and is involved in the ongoing investigation, told Wired last month that he thought at least six pieces of infrastructure had been targeted.

"And the list of the attacked may be far bigger than we are aware of," he told the magazine.

Tkachuk confirmed to Mashable that Kiev's Boryspil International Airport was found to have been infected with the same malware, but that no attack was ever carried out there.

Who is behind the attack?

The investigation into who was behind the attack is ongoing. But Tkachuk and other Ukrainian security officials who spoke with Mashable blame Russian agents. They say it was an effort to intimidate Ukrainian officials by showing Moscow could turn out the lights in Ukraine at any time.

Ukraine has been fighting a war against pro-Russian separatists and Russian forces in the east of the country since April 2014, shortly after Moscow annexed Crimea in March of that year.

Ukrainian officials acknowledged it is also possible the cyberattack was retaliation for Kiev cutting off electricity to the Russian-occupied Crimean peninsula late last year.

A mobile gas turbine power plant works to provide electricity in Stroganovka village outside Simferopol, Crimea, Sunday, Nov. 22, 2015. Russia's Energy Ministry says nearly 2 million people on the Crimean Peninsula are without electricity after two transmission towers in Ukraine were damaged by explosions.

Image: AP Photo/Alexander Polegenko

Deputy Secretary at the U.S. Department of Energy Elizabeth Sherwood-Randall told CNN earlier this month that Russia was behind the cyberattacks on the Ukrainian power grid.

But attribution, besides the diplomatic challenges it could present, can be very tricky. Lee, for one, is wary of pointing the finger directly at the Russian government as being behind the attack.

"There is little doubt in my mind that this was a remote and intentional coordinated attack that caused the power outage," he said. "But if this was a Russian company, have they been asked, allowed, paid to do these operations? We just aren't sure yet."

Koval told Mashable he's sure the attacks were organized by Russian speakers, but "whether it was state-sponsored or not, I don't know."

Tkachuk of the SBU says his team has information "showing links to Russian security services and APT 28," a group of highly sophisticated Russian hackers closely connected to the Russian intelligence community, he said.

Russian President Vladimir Putin is seen on a computer screen in Moscow. Ukraine and the U.S. believe Russian hackers were behind a cyber attack on a Ukrainian power plant in December 2015.

Image: DENIS SINYAKOV/AFP/Getty Images

"We were able to identify using different forensic tools the nexus between the attack and the Russian Federation, to the extent it's possible," Tkachuk said. "We were able to analyze source code used to attack our networks, and the pattern of attack, and our investigators are quite certain it originated in the Russian Federation and was coordinated by the Russian Federation."

He insists the SBU can prove beyond a reasonable doubt that "the culprit is in Russia and connected to the Russian government."

The Kremlin did not immediately respond to requests for comments.

The U.S. government has not explicitly blamed Russia for the attack — at least not publicly.

What does stand out to American and Ukrainian investigators, as well as to Lee and other independent analysts, and has them looking at Russia is the presence of a version of BlackEnergy, malware previously used in cyberattacks by the Moscow-backed hacking group known as the Sandworm Team. A shared toolset is a lead rather than proof, however: it shows who has used the malware before, not who operated it in this case.

A warning to the U.S. and the world

A helicopter view of the U.S. Capitol building on Capitol Hill, January 28, 2016 in Washington, DC.

Image: BRENDAN SMIALOWSKI/AFP/Getty Images

In the case of Ukraine, experts say the old technology the country still uses in its power plants might have actually been the thing that saved it. Unlike many Western countries, Ukraine's plants still have circuit breakers that operators can switch by hand.

If the U.S., for example, were targeted in a similar way, it likely could not recover the same way, Lee told Mashable.

"Because systems in Ukraine have manual options, they can be fixed quickly," he said. "But U.S. automated systems couldn't recover as quickly."

Still, Lee said, "to cause physical destruction in any long period of time is so much more difficult than people understand. Cascading power outages are extremely difficult."

But is it possible?

"The threat is real but the sky isn't falling," Lee said. "But if we don't address this appropriately, this will be a bellwether for what is allowed to happen."
